Authorization Federation in IaaS Multi Cloud

Transcription

1 Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC

2 Why Multi Cloud? Collaboration of organizations across clouds. Organizations with resources across multiple clouds. 2

3 Scope of Contribution Cloud Federation Service SaaS PaaS IaaS Platform Homogenous Heterogeneous Trust Circle-of-Trust Peer-to-Peer Coupling Authentication Federation Authorization Federation 3

4 Multi Cloud Collaboration Cloud Federation Service (IaaS, PaaS, SaaS) Heterogeneous: Google account (Open ID 2.0) Heterogeneous within google. Homogenous: Eduroam federated network access. Platform Trust Heterogeneous: OpenStack federation with AWS. Homogenous: Keystone to Keystone federation. Circle-of-Trust: Alliance of institutions for sharing scientific data such as CERN. Peer-to-Peer: Best Buy federating with Rackspace. Coupling Identity Federation: SAML, OAuth, OpenID, SSO. Authorization Federation: SAML, OAuth. 4

5 Trust Framework Trust Coupling Circle-of-Trust Peer-to-Peer Initiation Bilateral Unilateral Direction Bidirectional Unidirectional Transitivity Non-Transitive Transitive 5

6 Concept of Trust Four trust types: TTTTTTTT αα: (Trustor grants inter-cloud access to trustee) If AA αα BB, cloud AA is authorized to assign BB s users to cloud AA s resources. In such trust type, AA controls trust relation existence and cross-cloud assignments. TTTTTTTT ββ: (Trustee grants inter-cloud access to trustor) If AA ββ BB, cloud BB is authorized to assign AA s users to its resources. In such trust type, AA controls trust relation and BB controls cross-cloud assignments. TTTTTTTT γγ: (Trustee takes inter-cloud access to trustor) If AA γγ BB, cloud BB is authorized to assign its users to cloud AA s resources. In such trust type, AA controls trust relation and BB controls cross-cloud assignments. TTTTTTTT δδ: (Trustee controls intra-cloud access to trustor) If AA γγ BB, cloud BB is authorized to assign AA s users to AA s resources. In such trust type, AA controls trust relation and BB controls intra-cloud assignments within AA. 6

7 Administrative Realms 7

8 Multi Cloud Trust Three trust scopes based on administrative realms in cloud: Cross Cloud Trust Sharing cloud infrastructure resources, such as services. Cross Domain Trust Sharing domain resources such as projects. Cross Project Trust Sharing project resources such as VMs. 8

9 Cloud Trust Enables sharing cloud resources, services and domains. Set of domains shared between clouds with trust type (for domain trust). Sharing services by creating private domains for service allocation. Trust relation in Cloud Trust is Peer-to-Peer, bilateral, bidirectional, nontransitive. 9

10 Domain Trust Enabling cross cloud access by assigning users to PRPs between trusted domains. Trust relations are Peer-to-Peer, unilateral, unidirectional, non-transitive. DD AA DD AA ββ DD BB DD BB UU 1 UU 2 UU 3 UU 4 UU 5 UU 6 PPPPPP 1 PPPPPP 2 PPPPPP 3 PPPPPP 4 PPPPPP 5 PPPPPP 6 10

11 Project Trust Enabling cross cloud access to service instances by assigning users to PRPs between trusted projects. Trust relations are Peer-to-Peer, unilateral, unidirectional, non-transitive. DD AA PPPPPP 2 γγ PPPPPP 5 DD BB UU 1 UU 2 UU 3 UU 4 UU 5 UU 6 PPPPPP 1 PPPPPP 2 PPPPPP 3 PPPPPP 4 PPPPPP 5 PPPPPP 6 VVVV 1 VVVV 2 VVVV 3 VVVV 4 VVVV 5 VVVV 6 11

12 Related Work RBAC extensions ROBAC (collaboration ins not supported). GB-RBAC (group does own users). Role Based delegation models Delegation chains lacks dynamicity of trust in cloud federation environments. Multi-tenant trust models in single cloud. MT-RBAC (Multi-Tenant RBAC). CTTM (Cross Tenant Trust model). OSAC-DT (OpenStack Access Control with Domain Trust). 12

13 Conclusion & Future Work Multi-cloud trust model Cloud trust. Domain trust. Project trust. Trust framework & trust types Four types of trust applicable to administrative realms in cloud. Implementation in single cloud Partial implementation of domain-trust in single cloud OpenStack. Future Work Cloud trust implementation. Implementation in federated OpenStack clouds. Project trust implementation. Hierarchical multi-domain model. Attribute based models. 13